I'm particularly pleased with the poster image above, designed to accompany the staff seminar:

Malware
The Movie Part XIV:

Invasion
of
the Cryptominers

While the surface was strangely
calm,

far underground the crypt took shape

I had in mind those lurid cult classics such as Invasion of the Bodysnatchers, Friday the Thirteenth or the sinister Hammer horrors with Christopher Lee & co. Our graphics whizz married the concept of a horror movie poster with an image representing digital currency and Bitcoin, bringing it bang up to date. Nice work!

It's "part XIV" because there are (at least!) 13 other recognized types or families of malware already, conveniently averaging about one per year that we've been churning out the 'malawareness' content.

I wonder what horrors will feature in the module this time next year? Will it creep you out if I suggest that, whatever it might turn out to be, it is probably already in the wild, right now?

Don't forget to check under the keyboard tonight, and keep a firm grip on the mouse. Sleep tight.

Feb 27, 2018

The NoticeBored awareness module now nearing completion discusses the cryptomining malware that has come to prominence since the materials were last updated a year ago.

It is hard to get terribly worked up about the theft of CPU cycles and joules while we're still battling ransomware, spyware and APTs ... but scratch a little deeper to discover that cryptominers are more symptom than cause, the tip of a very chilly iceberg.

Q: How do systems get infected with cryptominers?

A: Through the usual malware infection mechanisms, i.e. security vulnerabilities in the IT systems and the people who use them.

Q: How do the crooks benefit?

A: Victims generate money for them, plainly ... but they also expose themselves and their systems to further compromise and exploitation. Ahhhh.

There are shades of the 'fraud recovery' frauds which trick the victims of 419 advance fee frauds into also spending out for mythical 'compensation' and 'lawyers' fees'. You'd have thought being suckered once was enough to put people on their guard but it seems not: victims have marked themselves out as vulnerable. "I'm down, kick me again".

I'll leave it there for today as we need to finish the module. Maybe tomorrow I'll have time to blog about the similarities between today's Bitcoin boom and the pyramid or Ponzi schemes of yore.

Feb 25, 2018

The 2018 malware update awareness module is a Work In Progress. We've all but completed the awareness materials for the general staff audience, and today we'll crack on through the management and professional streams.

Every year I wonder what we are going to say in the malware module, given that we've covered this topic so many times before. I worry that we might not find anything new to add, forcing us to re-hash the same old stuff in the hope of making it interesting enough to resonate with the audiences.

Yet again I needn't have worried. The malware threat is constantly mutating, much like a biological virus in fact. As fast as we discover and get to grips with each form, novel attacks and new challenges arise. There's no shortage of new things to say.

Cryptomining malware emerged from its lair in the middle of last year. As it happens, it's one of the more benign forms that merely consumes resources, reduces performance and increases costs, as opposed to devastating and in some circumstances life-threatening forms ... and yet it is virulent (it spreads widely and rapidly) and weakens the host (aside from running the cryptomining software, what else might be going on in the background?).

Perhaps next March when we refresh the malware module yet again, we'll pick up on the biological similarities by bringing up MRSA "superbugs" that have the healthcare and pharmaceutical industries and authorities worried. What will we do if/when our antivirus controls fail us? What is the cybersecurity equivalent of 'deep cleaning the ward' using bleach, with palliative care for patients whose infections we simply cannot treat? If it came down to it, how would we fully isolate and treat an organization whose malware infection seriously threatens the rest of us? Who has the ability, and the authority, to turn off life-support or flip the kill-switch?

It would be good to have kick-started the thinking and planning early, before we find ourselves wallowing around in brown stuff. Security awareness isn't purely about learning from the past, or even the present.

Either way, I'm confident that in a year's time there will be something new and pressing to raise!

The infection was identified back in September 2017, and eradicated within 4 days of detection.

Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data.

Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).

They have offered free credit monitoring services, more appropriate in case of identity fraud ... which is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.

Anyway, there we go: a relevant little news clip to share and explain through the awareness program, for people to discuss and contemplate. We can use it in the awareness slide decks, briefing papers and maybe as a case study. There are aspects of interest to the general staff audience, to management, and to the professionals/specialists, so we get three times the value from one story. Cool!

At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for NoticeBored customers to solicit tips from their colleagues who have suffered malware incidents recently.

The idea is for the security awareness people to:

Find out what happened, to whom, when and how;

Speak, discreetly, to the people involved or implicated in the incidents;

Explore the consequences, both for the business and for them personally;

Tease out the tips - lessons worth sharing with others;

Share them.

Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.

Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?

So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:

"Find out about malware incidents from those involved, and share the lessons as part of your awareness program."

While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.

Feb 17, 2018

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:

Completeness of information;

Accuracy of information;

Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);

Timeliness (or currency or ‘up-to-date-ness’) of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);

Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd’s rules within the DBMS);

Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …

… leading into ethics, professional standards of good conduct, ‘rules’, compliance and more.

The full breadth of meanings and the implications of “integrity” are the key reason I believe it deserves its place at information risk and security’s high table, along with confidentiality and availability. However, for some people in the field (perhaps a greater proportion of non-native English speakers?), it evidently has a much more restricted meaning, hence the reason for the note to this definition of information security:

Those additional properties, and more, are to me all part of “integrity” (plus availability in the case of “reliability”).

By the way, Donn Parker has argued for years (decades!) that the CIA triad is deficient. Aside from the vagueness of “integrity” which is at least partially addressed by that note, Donn points out that there are other, materially different properties or requirements or features of information that are also an integral part of the domain, such as ownership and control – and I must say I think he’s right. A significant part of privacy, for example, is the concept that we data subjects own and hence have a right to control or choose how our personal information is used, disclosed, stored, maintained and disposed of, regardless of who actually has possession of it at any moment, and regardless of the fact that we may have chosen to disclose it to them, or failed to prevent them accessing it (e.g. by standing naked at a window!). That, for me, goes beyond CIA, although some would say it falls under responsibility, accountability and trust which is part of integrity, and of course there is a confidentiality angle. Regardless of the official/academic definitions, it’s an intriguing perspective.

NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.